From 9ba57e5242f4e7fc3a02497efbea22cb5d7f2f08 Mon Sep 17 00:00:00 2001 From: Harvie Date: Fri, 6 Aug 2010 04:14:14 +0200 Subject: [PATCH] New dnsval.conf: DLV support, commented examples, loglevel is now 5 only, added some notes, root anchor moved to externali file from trust-anchors package --- dnssec-tools/dnsval.conf | 60 ++++++++++++++++++++++++---------------- 1 file changed, 36 insertions(+), 24 deletions(-) diff --git a/dnssec-tools/dnsval.conf b/dnssec-tools/dnsval.conf index d6e77e0..8ff6dd2 100644 --- a/dnssec-tools/dnsval.conf +++ b/dnssec-tools/dnsval.conf @@ -2,8 +2,12 @@ ####################################################################### ### ### You should NOT modify this file, use the following files instead: -### - /etc/dnssec-tools/dnsval.conf.head -### - /etc/dnssec-tools/dnsval.conf.tail +### - /etc/dnssec-tools/dnsval.conf.head (for specifiing defaults) +### - /etc/dnssec-tools/dnsval.conf.tail (for overriding) +### +### Root-zone trust anchor(s) are in the following file: +### - /usr/share/dnssec-trust-anchors/root-anchors.dnsval.conf +### (you will probably not need to modify it manualy) ### ####################################################################### ####################################################################### @@ -13,7 +17,7 @@ ################################## include /etc/dnssec-tools/dnsval.conf.head -include /usr/share/dnssec-trust-anchors/root-anchor.dnsval.conf +include /usr/share/dnssec-trust-anchors/root-anchors.dnsval.conf # TRUSTMAN-ACTION bind-include /var/opt/named/named.conf ################################## 
@@ -24,55 +28,63 @@ global-options trust-oob-answers yes edns0-size 1492 env-policy enable - app-policy disable - log 10:stderr + app-policy enable + log 5:stderr ; ################################## # Default policies ################################## -#: trust-anchor -# . "974 0 0 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" -# dnssec-tools.org DS 54556 5 2 6B026928292D452A5CC37B3EF327F27F50A29936CB31E664EB066D71A476E282 +# Note that ArchLinux distribution by default uses root-zone trust anchor from file +# /usr/share/dnssec-trust-anchors/root-anchors.dnsval.conf and it will get overrided +# by setting trust-anchor again, so if you want to add your user-specific keys, you +# should also include the original root zone anchor. + +#: trust-anchor +# dlv.isc.org DS 19297 5 2 A11D16F6733983E159EDF8053B2FB57B479D81A309A50EAA79A81AF4 8A47C617 +# dlv.isc.org DS 19297 5 1 7D480DBEF530374D8A4333FCB22106EB10013B46 #; #: zone-security-expectation # . validate -# dnssec-tools.org validate +#; + +#: dlv-trust-points +# . dlv.isc.org #; : provably-insecure-status . trusted ; -: clock-skew - . 0 -; +#: clock-skew +# . 0 +#; ################################## # MTA Policies ################################## -mta provably-insecure-status - . trusted -; +#mta provably-insecure-status +# . trusted +#; -mta clock-skew - . -1 -; +#mta clock-skew +# . -1 +#; ################################## # Web Browser Policies ################################## -browser provably-insecure-status - . trusted -; +#browser provably-insecure-status +# . trusted +#; -browser clock-skew - . 0 -; +#browser clock-skew +# . 0 +#; ################################## -- 2.30.2
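Review bot: The commented `trust-anchor` example under "Default policies" lists only the two `dlv.isc.org` DS records, although the note added directly above it says that setting `trust-anchor` again overrides the root anchor included from root-anchors.dnsval.conf. Someone who simply uncomments the block as written would therefore drop the root anchor without any warning. I would add a placeholder line inside the example, e.g. `# . DS <root anchor copied from root-anchors.dnsval.conf>`, so the override is visible where the edit is made. The SHA-256 digest on the first DS line also contains an embedded space (`...79A81AF4 8A47C617`). Whether the dnsval.conf parser accepts that unquoted cannot be told from this hunk, so the example should be checked to load cleanly once uncommented.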